Stored Cross-Site Scripting in Royal Elementor Addons for WordPress
CVE-2026-4803

7.2 HIGH

What is CVE-2026-4803?

The Royal Elementor Addons plugin for WordPress is vulnerable to stored cross-site scripting through the 'status' parameter of the wpr_update_form_action_meta AJAX action in all versions up to and including 1.7.1056. The value is stored without input sanitization and rendered without output escaping. The nonce that gates this handler is publicly disclosed, so it is obtainable by unauthenticated visitors and the nonce check does not restrict who can reach the handler. An unauthenticated attacker can therefore submit a crafted 'status' value that is persisted and later rendered, executing arbitrary JavaScript in the browser of any user who views the affected page. The underlying lesson for plugin authors is that a nonce is a CSRF token, not an authorization control: a handler that writes stored data also needs a capability check, sanitization of what it stores and escaping of what it prints.
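The following PHP is an added illustration of the handler pattern described above and is not code from the Royal Elementor Addons plugin. The function, hook and meta-key names (all prefixed demo_) are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, sanitize_key, esc_html, wp_send_json_error) are real. The first handler shows the weak shape, a nonce-only gate registered for unauthenticated users that stores and echoes raw input; the second shows the hardened shape.

```php
<?php
// Added example, not the plugin's own code. Names prefixed demo_ are hypothetical.

// WEAK PATTERN: the nonce is the only gate, the action is registered for
// anonymous users (wp_ajax_nopriv_), the input is stored as-is and echoed as-is.
function demo_vuln_update_status() {
    // If the nonce is obtainable by any visitor, this check proves nothing about
    // who is calling; it only blocks cross-site forgery from other origins.
    check_ajax_referer( 'demo_nonce', 'nonce' );
    $post_id = (int) $_POST['post_id'];
    update_post_meta( $post_id, '_demo_status', $_POST['status'] ); // unsanitized write
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_vuln_update_status',        'demo_vuln_update_status' );
add_action( 'wp_ajax_nopriv_demo_vuln_update_status', 'demo_vuln_update_status' );

function demo_vuln_render_status( $post_id ) {
    // Unescaped output: whatever was stored is injected into the page verbatim.
    echo '<span class="status">' . get_post_meta( $post_id, '_demo_status', true ) . '</span>';
}

// HARDENED PATTERN: CSRF check plus authorization, allow-listed input, escaped output.
function demo_update_status() {
    check_ajax_referer( 'demo_nonce', 'nonce' ); // CSRF protection only

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        // Authorization: the caller must actually be allowed to edit this object.
        wp_send_json_error( 'forbidden', 403 );
    }

    // Hypothetical allow-list for the demo; a real handler would list its real states.
    $allowed = array( 'active', 'inactive' );
    $status  = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }

    update_post_meta( $post_id, '_demo_status', $status );
    wp_send_json_success();
}
// Registered for logged-in users only: no wp_ajax_nopriv_ hook, since anonymous
// visitors have no legitimate reason to change stored form settings.
add_action( 'wp_ajax_demo_update_status', 'demo_update_status' );

function demo_render_status( $post_id ) {
    // Escape on output regardless of what was stored; defence in depth against
    // values written by older code or other paths.
    echo '<span class="status">' . esc_html( get_post_meta( $post_id, '_demo_status', true ) ) . '</span>';
}
```

The hardened handler layers three independent controls: the nonce stops cross-site forgery, current_user_can stops unauthorized callers even if the nonce leaks, and the allow-list plus esc_html stop script injection even if an unexpected value reaches storage. Removing the wp_ajax_nopriv_ registration is what closes the unauthenticated path that a leaked nonce otherwise opens.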

Affected Version(s)

Royal Addons for Elementor – Addons and Templates Kit for Elementor, all versions up to and including 1.7.1056

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Andrea Bocchetti